GDPR: 13 Key Terms You Must Know and Apply

[et_pb_section bb_built=”1″][et_pb_row][et_pb_column type=”4_4″][et_pb_text _builder_version=”3.0.99″ background_layout=”light”]

Marathon runners schedule their training and running schedules based on the dates of their races. Once the date is set, runners set and achieve race goals through planning and training. They mark key dates and milestones as the race date approaches to ensure success on race day.

Consider the General Data Protection Regulation (GDPR) a marathon for your organization, and race day is 25 May 2018. This is not a sprint: the regulation will stay in force for a long while, so you must be ready to sustain compliance, not just reach the start line. Below are some key dates and changes to understand the regulation’s evolution, and to enhance your organization’s readiness for GDPR.

GDPR was not created in a vacuum. Its roots stem from data protection efforts in the mid-1990s with the Data Protection Directive (1995), and protection efforts have grown to reflect the changes in how people interact with information technology. GDPR was adopted by the European Parliament and the Council of the European Union (EU) in April 2016 and entered into force in May 2016; the 25 May 2018 application date comes after a two-year transition period.

GDPR applies to organizations established in the EU that collect, process, or store personal data, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. What matters is where the data subjects are, not their citizenship. Here are some terms you should know, and requirements you should meet:

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Data Subject” _builder_version=”3.0.99″ background_layout=”light”]

Data Subject

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”A %22natural person,%22 that is, an individual, from whom personal data can be collected.” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

An identified or identifiable “natural person,” that is, a living individual, from whom personal data can be collected. Legal persons such as companies are not data subjects.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Personal Data” _builder_version=”3.0.99″ background_layout=”light”]

Personal Data

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”Any information related to a person (a data subject), that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

Any information relating to a person (a data subject) who can be identified, directly or indirectly, from it, alone or in combination with other data. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, a location, or an online identifier such as an IP address or cookie ID. Pseudonymized data that can still be linked back to a person remains personal data; only truly anonymized data falls outside the regulation.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Processing” _builder_version=”3.0.99″ background_layout=”light”]

Processing

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”Performing any—and the GDPR means %22any%22—operation or set of operations on personal data, including: obtaining, recording, keeping, organizing, altering, retrieving, consulting, using, disclosing the data to a third party (including publication), erasing, and destroying the data.” _builder_version=”3.0.99″ background_layout=”light” header_text_align=”justify” text_orientation=”justified”]

Performing any—and the GDPR means “any”—operation or set of operations on personal data, including: obtaining, recording, keeping, organizing, altering, retrieving, consulting, using, disclosing the data to a third party (including publication), erasing, and destroying the data.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Consent” _builder_version=”3.0.99″ background_layout=”light”]

Consent

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”Explicit permission from data subjects. Companies can no longer use long illegible terms and conditions. Instead, the request for consent must be given in intelligible and easily accessible forms. Further, consent must be distinguishable from other matters and provided in clear and plain language. It must equally easy to give consent and to withdraw it. Additionally, collecting information from data subjects who are under age 16 requires parental consent.” _builder_version=”3.0.99″ background_layout=”light” header_text_align=”justify” text_orientation=”justified”]

A freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by a statement or a clear affirmative action; pre-ticked boxes and silence do not count. Explicit consent is required for special categories of data such as health data. Companies can no longer bury consent in long, illegible terms and conditions. Instead, the request for consent must be presented in an intelligible and easily accessible form, distinguishable from other matters, and written in clear and plain language. It must be as easy to withdraw consent as to give it, and controllers must be able to demonstrate that consent was obtained. Additionally, offering online services directly to a child under age 16 requires consent from the holder of parental responsibility.
*Please note that GDPR allows member states to set a lower age, but not below 13.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Data Controller” _builder_version=”3.0.99″ background_layout=”light”]

Data Controller

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”A controller is the person or entity that determines the purposes, conditions, and means of the processing of personal data.” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

A controller is the natural or legal person, public authority, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller carries primary accountability for compliance.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Data Processor ” _builder_version=”3.0.99″ background_layout=”light”]

Data Processor 

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”The processor is the entity or persons that actually work with and process personal data.” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

The processor is the entity or person that processes personal data on behalf of, and on the documented instructions of, the controller (a cloud hosting provider or payroll service, for example). A processor that starts deciding its own purposes or means for the data becomes a controller for that processing, with a controller’s liabilities.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Data Protection Officer (DPO)” _builder_version=”3.0.99″ background_layout=”light”]

Data Protection Officer (DPO)

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”Organizations that regularly and systematically monitor data subjects on a large scale or process special categories of data or data relating to criminal convictions and offences must appoint a DPO, who has expert knowledge on data protection law and practices. A DPO may be a staff member or an external service provider. Additionally, a DPO’s job must not include any other tasks that could results in a conflict of interest.” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

Public authorities and bodies, and organizations whose core activities consist of regular and systematic monitoring of data subjects on a large scale or of large-scale processing of special categories of data or data relating to criminal convictions and offences, must appoint a DPO who has expert knowledge of data protection law and practices. A DPO may be a staff member or an external service provider. Additionally, a DPO’s job must not include any other tasks that could result in a conflict of interest, and the DPO must report to the highest level of management.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Breach Notification” _builder_version=”3.0.99″ background_layout=”light”]

Breach Notification

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”GDPR makes breach notifications mandatory when a data breach is likely to “result in a risk for the rights and freedoms of individuals.” A breach must be reported to the local data protection authority within 72 hours of discovery and to affected individuals “without undue delay.”” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

GDPR makes notification of a personal data breach mandatory unless the breach is unlikely to “result in a risk to the rights and freedoms of individuals.” The controller must report the breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; a later notification must be accompanied by the reasons for the delay. Affected individuals must be informed “without undue delay” when the breach is likely to result in a high risk to them. A processor must notify its controller without undue delay after becoming aware of a breach. Because the 72-hour clock starts at awareness, incident response procedures should record when the organization became aware of a breach, and every breach, notified or not, must be documented.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Right to Access” _builder_version=”3.0.99″ background_layout=”light”]

Right to Access

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”Individuals (data subjects) must be able to obtain confirmation of whether their personal data is processed, for what purpose, and where it’s stored. Controllers must provide a copy of the personal data, free of charge, in an electronic format.” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

Individuals (data subjects) have the right to obtain confirmation of whether their personal data is being processed and, if so, access to the data together with the purposes of processing, the recipients, the retention period, and the source of the data. Controllers must provide a copy of the personal data free of charge (a reasonable fee may be charged for further copies), normally within one month of the request, and in a commonly used electronic form when the request was made electronically.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Right to be Forgotten (or Data Erasure)” _builder_version=”3.0.99″ background_layout=”light”]

Right to be Forgotten (or Data Erasure)

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”Any data subject can require a data controller to erase his/her personal data, cease data dissemination, and potentially halt third-party data-processing. This right requires controllers to compare the subjects’ rights to %22the public interest in the availability of the data%22 when considering such requests.” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

Any data subject can require a data controller to erase his or her personal data without undue delay, cease data dissemination, and potentially halt third-party data processing, for example where the data is no longer necessary for its original purpose or consent has been withdrawn. A controller that has made the data public must take reasonable steps to inform other controllers processing it. The right is not absolute: controllers must weigh the subject’s rights against grounds such as freedom of expression, legal obligations, and “the public interest in the availability of the data” when considering such requests.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Data Portability ” _builder_version=”3.0.99″ background_layout=”light”]

Data Portability 

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”Data subjects can ask for and receive their personal data, and they have can transmit that data to another controller.” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

Data subjects can ask for and receive the personal data they have provided to a controller in a structured, commonly used, and machine-readable format, and they have the right to transmit that data to another controller, or to have it transmitted directly between controllers where technically feasible.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Privacy by Design” _builder_version=”3.0.99″ background_layout=”light”]

Privacy by Design

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”%22Privacy by design%22 requires security features to be included in system design, not added later (“baked in,” not “bolted on”). While this concept has existed for years, GDPR elevates it to a legal requirement.” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

“Privacy by design,” which GDPR calls data protection by design and by default, requires data protection measures such as data minimization, pseudonymization, and access controls to be included in system design, not added later (“baked in,” not “bolted on”), and requires that, by default, only the personal data necessary for each specific purpose is processed. While this concept has existed for years, GDPR elevates it to a legal requirement.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”1_4″][et_pb_text admin_label=”Penalties” _builder_version=”3.0.99″ background_layout=”light”]

Penalties

[/et_pb_text][/et_pb_column][et_pb_column type=”3_4″][et_pb_text admin_label=”Organizations in breach of GDPR can incur maximum fines up to 4% of annual global turnover or €20 Million (whichever is greater). These rules apply to both controllers and processors — meaning clouds will not be exempt from GDPR enforcement.” _builder_version=”3.0.99″ background_layout=”light” text_orientation=”justified”]

Organizations in breach of GDPR can incur fines of up to 4% of annual global turnover or €20 million (whichever is greater) for the most serious infringements, such as violating the basic principles of processing or data subjects’ rights, and up to 2% or €10 million for others, such as failing to notify a breach or to appoint a required DPO. These rules apply to both controllers and processors, meaning cloud providers that process personal data on behalf of their customers are not exempt from GDPR enforcement.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row][et_pb_column type=”4_4″][et_pb_text _builder_version=”3.0.99″ background_layout=”light”]

Just as marathon training is best accomplished with help from a successful trainer, getting ready for GDPR compliance should be facilitated by those who understand it. If you need assistance with understanding the requirements for protecting the rights of data subjects (Chapter 3 of GDPR), let FileFacets help teach your staff and meet the requirements. To learn more about FileFacets and GDPR, please visit http://filefacets.com/gdpr-compliance/.

[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]